Broken isolation of SecureStorage and AsyncStorage

#1

Hi!

I’m seeing weird cross-app leakage for AsyncStorage and SecureStorage, which I thought was impossible. Here’s the setup:

  • I have built two standalone builds of my app from the same source code.
  • One is published to App Store Connect under ‘com.company.app’ and the other under ‘com.company.app.beta’.
  • I have both installed on my physical iOS device.
  • When I log in to ‘com.company.app’, which is pointed at our production instance, it works.
  • Then, when I open ‘com.company.app.beta’, which is pointed at our staging instance, I get 403 responses because I’m trying to use production creds to authenticate against staging.
  • When I then log out of ‘com.company.app.beta’ (which I never intentionally logged in to), I can log in and it works.
  • When I re-open ‘com.company.app’ I am now logged out.

I’m using the same AsyncStorage/SecureStorage keys for com.company.app and com.company.app.beta, and I’m not trying to do anything crazy here. I’m very confident that both apps are observing the same AsyncStorage/SecureStorage.

Has anyone experienced this issue? I’m deeply confused because I was under the impression that apps with different bundle identifiers had different sandboxes.

#2

There is a way to share data (at the iOS Cocoa level) between apps, but I believe you need to go out of your way to do that, and it’s not part of Expo. iOS may have changed behavior to look at app bundle prefixes and share data between them, but this isn’t anything Expo intentionally does.

#3

That makes sense and jibes with my understanding of reality. I’ll try changing the app bundles to be prefix-free and see if that resolves the issue.
